Health Insurance Portability and Accountability Act (HIPAA) Training

INTRODUCTION

Training creates an important opportunity for FAU to convey its organizational values, including its commitment to ethical and legal conduct, and to help ensure compliance with various HIPAA privacy and security rules and standards. Both role-based and job-based training provide individuals who may or will come into extensive contact with protected health information (PHI) with the appropriate resources and training to carry out their duties and responsibilities (e.g., how to handle and use PHI, as well as to understand the principles of administrative, physical and technical safeguards to protect PHI).

APPLICABILITY

Training in the Privacy Rule and Security Standards of Health Information is required for all members of FAU’s workforce in the Covered Components as well as those working on their behalf. Human Resources is responsible for the administration of the training program.

SCOPE

All members of FAU’s Workforce in the Covered Components and other areas as identified by Human Resources, including faculty, staff, students, and volunteers, are required to complete appropriate training modules during the onboarding process and annually thereafter.  Additionally, individuals working with the Covered Components, as well as individuals who may come into extensive contact with PHI because of the nature of their position, role or job category, will also be required to complete the HIPAA training modules.

DEFINITIONS

Covered Component – health care components of a Hybrid Entity, named and designated by the Hybrid Entity, that engage in Covered Functions, and any component that engages in activities that would make it a Business Associate of a Covered Component if the two components were separate legal entities.

Covered Entity – A health plan, health care clearinghouse, or health care provider who transmits any health information in electronic form in connection with a transaction covered by the Privacy Rule; the Covered Entity refers to the health care components of FAU that engage in Covered Functions.

Covered Functions – activities of a Covered Entity, the performance of which makes the entity a health plan, a health care clearinghouse, or a health care provider subject to the Privacy Rule.

Hybrid Entity – A single legal entity that is a Covered Entity, performs business activities that include both Covered and non-Covered Functions, and that designates its health care components in accordance with the Privacy Rule.

Workforce Members – Employees, volunteers, trainees, and other persons whose conduct in the performance of work for a Covered Component is under the direct control of such component, whether or not they are paid by that component.

TRAINING REQUIREMENTS

All Workforce Members in the Covered Components, individuals working extensively with the Covered Components, and individuals, identified by Human Resources, who may significantly come into contact with PHI because of the nature of their position, role or job category (e.g., office of information security, accounts payable, financial aid, etc.) must fulfill the following core training requirements annually:

HIPAA Privacy Essentials – 1-hour course

This course presents an overview of HIPAA, and outlines the key provisions of HIPAA and the Privacy Rule and the applicability of HIPAA.  It also discusses PHI, authorizations and notifications, as well as complaints, enforcement and penalties.

HIPAA Security Rule for Covered Entities – 30-minute course

This course provides an overview of the security obligations related to electronic PHI imposed on the workforce of covered entities.  Specifically, this course explains various safeguards that covered entities should implement as well as discusses secure practices related to electronic PHI.

HIPAA Security Rule for Business Associates – 30-minute course


This course provides business associates with an overview of their obligations in storing, handling and transmitting PHI consistent with Security Standards.

Individuals falling into the above categories must fulfill their training requirements as follows:

  1. Within 15 days after an individual joins the workforce, and prior to accessing any PHI;
  2. Within 15 days after a role, job or position change that either places an individual within a Covered Component, working extensively with a Covered Component, or places the individual in a role, job or position where he/she comes into contact with PHI; and
  3. Annually (i.e., refresher training) by all Workforce Members, individuals working with the Covered Components, and individuals who may come into contact with PHI because of the nature of their position, role or job category.

All individuals subject to the HIPAA training requirements must receive a passing score of 70% or higher.

In addition to the core training requirements identified above, Workforce Members in Covered Components, individuals working with Covered Components and individuals who may come into contact with PHI because of the nature of their position, role or job category may be required to take additional training modules in the event of:

  1. A significant regulatory change;
  2. A material change in FAU’s compliance program or Notice of Privacy Practices; or
  3. Technology changes impacting privacy or security.

Research: Workforce members of a Covered Component may also be investigators conducting research involving PHI and as such must adhere to additional training requirements.  Researchers using PHI must complete the mandatory CITI HIPS training in addition to FAU required training under this policy.  Refer to http://www.fau.edu/research/researchint/hipaa.php.

PROCEDURE

All Workforce Members, and other individuals required to complete training as specified herein, are individually responsible for maintaining compliance with Privacy training requirements.  The units, clinics and divisions at FAU that employ those individuals must track and document compliance by their Workforce Members with these training requirements.

To access the training course, please follow these instructions:

 

Go to https://bb.fau.edu

1. Login to Blackboard with your FAU NetID.

2. In the middle of your screen, select “HIPAA Training and Information” under “My Organizations.”

3. Click on “HIPAA Training” in the left-hand column.

4. Proceed through the modules and complete the integrated tests before your assigned deadline. You may retake the integrated tests if necessary after further review of the training material. If you run into a message about a pop-up blocker, please see “Common Issues.”

5. When you complete your tests, be sure to save a copy of your completion results.  You can do this by either:

Taking a screenshot of the “Course Test Results” Screen and saving it to your computer,

      OR

Clicking on “Completion Status” and clicking “Print Report” to print a report of your passing grade.

NOTE: The HIPAA Privacy Rule module has two exams. Please make sure to save a copy of the completion result of both exams.

6. Click on “Training Course” in the far-left column in Blackboard to ensure that your score was recorded appropriately. If your scores do not show up, and you have taken the exams already, please contact security@fau.edu for further assistance.

 

Common Issues:

Popup Blocked Message:

If you receive a message stating “Popup Blocked”, click the button in the middle of the screen that says “Launch Course”, and then the link that says “Click Here to Launch the Course” in the window that pops up. This will bypass the need to disable any popup blockers in your web browser.

For technical assistance with training, please contact the FAU Helpdesk by visiting: http://helpdesk.fau.edu.





 Last Modified 11/8/16